From 43013863ceb2c9c21c6e149db39ff0a36578288d Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Tue, 3 Sep 2024 13:33:22 -0500
Subject: [PATCH] feat(openstack): use External Secrets for service account

This doesn't change any code or the actual service account that is being used but it defines it in a way that can be consumed by external secrets and sets the pathway for us to generate this in the future. We'd need either an operator to action on the service account secrets to keystone or some other way to keep them in sync.
---
 components/openstack/kustomization.yaml | 5 ++
 .../openstack/secretstore-openstack.yaml | 65 +++++++++++++++++++
 .../openstack/svc-acct-argoworkflow.yaml | 28 ++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 components/openstack/secretstore-openstack.yaml
 create mode 100644 components/openstack/svc-acct-argoworkflow.yaml

diff --git a/components/openstack/kustomization.yaml b/components/openstack/kustomization.yaml
index c7f3ca442..29b5d8e8f 100644
--- a/components/openstack/kustomization.yaml
+++ b/components/openstack/kustomization.yaml
@@ -6,6 +6,11 @@ resources:
 - mariadb-configmap.yaml
 - mariadb-instance.yaml
 - openstack-cluster.yaml
+ # a secret store that let's us copy creds to other namespaces
+ # for service accounts
+ - secretstore-openstack.yaml
+ # defines the service account 'argoworkflow' used by our workflows
+ - svc-acct-argoworkflow.yaml
 
 helmCharts:
 - name: memcached
diff --git a/components/openstack/secretstore-openstack.yaml b/components/openstack/secretstore-openstack.yaml
new file mode 100644
index 000000000..60e7762f9
--- /dev/null
+++ b/components/openstack/secretstore-openstack.yaml
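Review bot: The new resource comment `# a secret store that let's us copy creds to other namespaces` has a typo in the new side of the kustomization hunk; `let's` should read `lets`. Both new resource entries also rely on this kustomization to supply the namespace for the Role, RoleBinding and ServiceAccount declared in secretstore-openstack.yaml, which carry no `metadata.namespace` of their own — the rest of this kustomization is outside the hunk, so I cannot see whether `namespace: openstack` is set here.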
@@ -0,0 +1,65 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: eso-openstack
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: eso-openstack
+ name: eso-openstack.service-account-token
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: eso-openstack-role
+rules:
+- apiGroups: [""]
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ resourceNames:
+ - svc-acct-argoworkflow
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectrulesreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: eso-openstack-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: eso-openstack-role
+subjects:
+- kind: ServiceAccount
+ name: eso-openstack
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: openstack
+spec:
+ provider:
+ kubernetes:
+ remoteNamespace: openstack
+ server:
+ caProvider:
+ type: ConfigMap
+ name: kube-root-ca.crt
+ key: ca.crt
+ namespace: openstack
+ auth:
+ serviceAccount:
+ name: eso-openstack
+ namespace: openstack
diff --git a/components/openstack/svc-acct-argoworkflow.yaml b/components/openstack/svc-acct-argoworkflow.yaml
new file mode 100644
index 000000000..a2e8975cd
--- /dev/null
+++ b/components/openstack/svc-acct-argoworkflow.yaml
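Review bot: The `kubernetes.io/service-account-token` Secret `eso-openstack.service-account-token` mints a long-lived, non-expiring token for `eso-openstack`, yet nothing in this change reads it — the ClusterSecretStore authenticates through `auth.serviceAccount`, which ESO's kubernetes provider fulfils with the TokenRequest API rather than a stored token. Unless another consumer needs the static token, drop that Secret document so the only credential for this account is the on-demand one; if it must stay, add a comment naming what consumes it. The ClusterSecretStore is cluster-scoped, so an ExternalSecret in any namespace can pull `svc-acct-argoworkflow`; restricting it with `spec.conditions: [{namespaces: [<consumer-namespace>]}]` (or a `namespaceSelector`) limits the copy path to the namespaces the description has in mind. The Role, RoleBinding and ServiceAccount carry no `metadata.namespace` while the store hard-codes `namespace: openstack` for the account and the CA ConfigMap, so they only line up if the enclosing kustomization sets `namespace: openstack` — that file is not in this hunk, so worth confirming.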
@@ -0,0 +1,28 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Fake
+metadata:
+ name: svc-acct-argoworkflow
+spec:
+ data:
+ # this provider needs to go away for a generated account
+ # but it currently must be in sync with the keystone bootstrap
+ # script
+ # this should be the 'service' domain in the future
+ user_domain: default
+ username: argoworkflow
+ password: demo
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: svc-acct-argoworkflow
+spec:
+ refreshInterval: 1h
+ target:
+ name: svc-acct-argoworkflow
+ dataFrom:
+ - sourceRef:
+ generatorRef:
+ apiVersion: generators.external-secrets.io/v1alpha1
+ kind: Fake
+ name: svc-acct-argoworkflow
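Review bot: `password: demo` commits a plaintext credential for the `argoworkflow` Keystone account to git, and the `Fake` generator re-emits it into the `svc-acct-argoworkflow` Secret on every `refreshInterval`, where every namespace the ClusterSecretStore serves can read it. The inline comment says the value must stay in sync with the keystone bootstrap script, so name that script in the comment (e.g. `# must match <path-to-keystone-bootstrap-script>`) so the two cannot silently drift, and mark the value as a bootstrap placeholder to be rotated once the account is generated rather than faked. Style: the first document in this file has no leading `---` while secretstore-openstack.yaml opens every document with one; adding `---` at the top keeps the two new files consistent.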